[tor-bugs] #9387 [Tor Launcher]: Tor Launcher/Torbutton should provide a "Security Slider"

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 30 20:59:34 UTC 2014


#9387: Tor Launcher/Torbutton should provide a "Security Slider"
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  gk
  mikeperry              |     Status:  needs_information
         Type:           |  Milestone:
  enhancement            |    Version:
     Priority:  major    |   Keywords:  TorBrowserTeam201410D, tbb-
    Component:  Tor      |  security, tbb-usability, tbb-linkability,
  Launcher               |  tbb-3.0, extdev-interview, tbb-isec-report,
   Resolution:           |  MikePerry201410R, tbb-4.5-alpha
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Replying to [comment:57 gk]:
 > Replying to [comment:56 mikeperry]:
 > > gk - I noticed a bug with noscript.globalHTTPSWhitelist. It seems that
 > > it improperly blocks some elements in https pages unless https: is also
 > > added to the NoScript whitelist. I notified Giorgio about this bug, but he
 > > has not fixed it yet. We may want to add "https:" to the NoScript pref
 > > capability.policy.maonoscript.sites as a workaround until this is fixed.
 >
 > Ok. This actually means adding " https:" just to case 1-3? The first two
 > levels leave the NoScript JS related prefs alone but are affected by this
 > bug, too, and the fourth level is locking down all JS, so this isn't
 > needed there. I am in fact quite confused about these related NoScript JS
 > prefs: `noscript.globalHTTPSWhitelist` is supposed to be
 > `noscript.globalHttpsWhitelist`, right? And
 > {{{
 > Disable JS for non HTTPS URL Bars -> noscript.globalHTTPSWhitelist
 > }}}
 > in comment:43 is supposed to be
 > {{{
 > Disable JS for non HTTPS URL Bars -> noscript.allowHttpsOnly
 > }}}
 > or am I missing something? How is `noscript.globalHttpsWhitelist` set in
 > mode 1-3? Assuming we only disable it in mode 4 I guess we enable it in
 > them?

 Well, I don't think `noscript.allowHttpsOnly` exists. We want
 `noscript.globalHttpsWhitelist` to be set only in mode 3. In that mode, we
 also want https: in the whitelist (`capability.policy.maonoscript.sites`).

 In modes 1, 2, and 4 we want `noscript.globalHttpsWhitelist` unset. We
 also want 'https:' removed from `capability.policy.maonoscript.sites` in
 these modes.

 I will update the summary in comment:43.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9387#comment:58>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

